Domain Groups And Windows Authentication
Nov 8, 2006
Hi
We are planning implementation of a currently Sybase db. The users (about 3600) will be i 5 domains and we want single sign-on through trusted connections. We want to use the database roles to define different user access on databases and tables. There will be around 2000 roles. We also want to add the users directly to the database roles without having to grant each user database access.
So I thought that I could add the user groups from all domains and then add each domain user account to specified database roles. Am I right here or what? The Windows authentication will lookup or check the users kerberos ticket during logon process and allow logon.
The documentation here is weak and I assume it's a windows authentication question but wondered if any of you guys had been down the same road.
For creating the groups I have the following options:
Create a domain group and put all the usergroups from the other domains in this group
Add user groups from all other domains directly into the SQL Server.
Any recommendations here?
View 3 Replies
ADVERTISEMENT
Jul 16, 2007
Hi,
I have a client running in a Domain A and a SQL server running in Domain B using Windows security. We don't want to put SQL Server in the mixed authentication mode.
I created a local group on de SQL server. Gave the group correct rights.
Added users from Domain A to that group. Although he prompted me for username password from Domain A it did work.
There is currently no trust between those domains. What kind of a trust should it be ? I believe that a one way trust where B trusts A should be enough.
Any suggestions.
CE
View 1 Replies
View Related
Jan 29, 2007
Hi:
I am trying to figure out if there is a way to connect via SQL Server Management Studio to a server sitting on a separate domain. So here is the situation. there is Server B which sits in a domain called DomainB. If I am in DomainA, I could typically remote into that server utilizing an IP address in DomainB, and even transfer files to that server. But how do I connect via SQL Server Management Studio(basically login as a different domain user) to Server B in DomainB from DomainA. Basically when I choose Windows Authentication from the dropdown list in SQL Server Management Studio, it grays out the username field, which is where I could type something like this domainBusernameondomainB, similar to how you would connect to a share on that server. Please let me know if there is a possibly solution to this. Also, our customer doesnot allow SQL Server Auth/Logins, so that is not an option. Thanks.
View 24 Replies
View Related
Apr 28, 2008
We have a SQL 2005 box that requires windows authentication but I have to connect a laptop that is not part of the domain. Is there any way to do this? Per company policy, the SQL server cannot be changed to use SQL Auth AND Windows Auth. Also per policy, the user's laptop cannot be joined to the domain since it's not a company laptop.
I've tried using the following command:
net use \SQLServerNameipc$ /user:DomainNameDomainAccount Password
and then using enterprise manager to register the sql server but it still says that the computer is not trusted.
Is there something else to this that I am missing or is this just not possible?
Thanks in advance for the help.
View 2 Replies
View Related
Jul 23, 2005
Hi,I have a peculiar problem (or maybe not). I have SQL clients installedon XP boxes. These XP boxes are a member of let us say "XYZ" domain.SQL Server is installed on one of the boxes having Windows 2000 Serverin the same network. The installation has been done on local domainaccount. Since SQl Server has been installed with Windowsauthentication, what happens if the XYZ domain fails. Will it bepossible for all clients to access the database present on SQL Serverin the Win 2K box. I think I have made myself clear upto some extent.Please throw light on how to accomplish the connectivity between SQLclients and server in case of domain failure.Regards,Vinodi
View 2 Replies
View Related
Feb 24, 2007
If my SQL Server authentication is windows integrated authentication, whenever my application makes a connection to SQL server does it contact the windows active directory domain controller to authenticate the windows user account? How does windows integrated authentication work in the background?
View 9 Replies
View Related
Feb 13, 2007
Hi There
I have service broker working 100% with an initiator - forwarder - target, all in the same domain using windows authentication on the endpoints, for all instances' the sql server service run under the same domain account, which in turn is granted connect on the various endpoints. This all works 100%
However i have a scenario where the initiator will be in a different trusted domain.
I need to know if i am correct in thinking that the initiator sql server servcie account can run under DomainAsqlservice, the target instance sql server servcie can run under DomainBsqlservice, then on the forwarder i simply grant connect on the forwarder endpoint to both DomainAsqlservice and DomainBsqlservice.
Is this correct, will this work?
Thanx
View 6 Replies
View Related
Nov 16, 2006
Greetings,
One of my users gets the following error when he tries to connect to my SQL Server 2000 database using windows authentication via Query Analyzer:
[Micorsoft][ODBC SQL Server Driver][SQL Server] Login failed for user '(null)'. Reason: Not associated with a trusted SQL Server connection.
Me and the server are located in Colorado and are on the NADomain. User is in London on the EURDomain. The EURDomain has a one way trust to the NADomain to use NADomain resources. I have granted access to the database to the user via Enterpise Manager as EURDomainuserid. All the literature I've read says this should be sufficient to connect but isn't. User can connect with SQL Server authentication. Users on the NADomain in Toronto can connect just fine with Windows Authentication. EURDomain user can access other file server resources in the same building as the SQL Server in Colorado.
SQL Server version is:
Microsoft SQL Server 2000 - 8.00.818 (Intel X86) Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
EURDomain Client ODBC version is 2000.85.1022.00 and MDAC is 2.8.
Any help is greatly appreciated.
View 5 Replies
View Related
May 11, 2007
How to give authentication for Send Mail Task component?
View 4 Replies
View Related
Apr 18, 2007
Hi there,I have installed MS SQL Server 2005 on my machine with windows authentication. But now I want to switch the authentication mode to SQL Authentication. I am unable to switch, I can’t find the proper way to do so here in 2005.Could any one help me in doing this?Thank you,-Ahsan
View 1 Replies
View Related
Mar 25, 2004
Hi
Im currently working on a intranet and trying to set up some security. The intranet acesses a SQL server 2000 database. I would like to know if there is a stored procedure(or other way) of returning all the domain groups that a user belongs to when passed the users NT login. I found xp_enumgroups which returns all the groups on the domain and also xp_logininfo which returns the users of a passed domain group. These are usful but i need to just pass the NT username and return all the Domain Groups. Any thoughts, ideas would be great!
Cheers
View 1 Replies
View Related
Jan 15, 2007
Hi
I have a customer that was using Sql 2005 Express on a W2k3 server. They then decided to turn the server in to a second domain controller. When they did this Sql Express stopped working, I'm guess because the account the service was running as nolonger existed (Network Service account). Because of this they demoted it back to just a member server, but still the sql express service wouldn't start.
When I look at their server now I have noticed that the Sql2005$ accounts Sql express created during installation are all missing.
What I want to do now is set the Sql express setvice to use a domain account (using the SqlServer configuration manager), but I'm concerned that because the sql2005$ groups are missing things won't run as expected.
Should I be worried about these accounts?
What would happen when it becomes a domain controller anyway, won't these local account disappear and hence my new sqlexpress service account wouldn't have permission to the sql server data folders??
Thanks for your help
Graham
View 3 Replies
View Related
Mar 25, 2004
Hello,
(Using win2k, sqlserver2k, framework 1.1)
I have an fairly data-heavy application that uses Windows authentication (Trusted connection/aspnet account) to connect to Sql Server. The site uses IIS basic authentication.
On the dev server everything works fine but when I move to the live server things get strange and it starts to crawl along. (Pages load OK but then it just crawls as it loads the datagrids etc. Sometimes it brings back incomplete/incorrect data )
BUT When I use Sql Authentication to connect to Sql Server and there is no problem at all!
Ok, there is something obviously wrong with the live server (which is identical setup to dev)but I dont know where to start.
Any ideas??
View 2 Replies
View Related
May 15, 2006
Hi all,
I've got two applications which both have a database on my MS SQL 2000 server. The problem is, one application must use Windows Integrated Authentication (which it is currently using and cannot be changed) whilst the other application which I'm trying to configure must use a SQL password.
Since the server has already been configured to use Windows Integrated Authentication for the existing database and application, how do I configure the other database to use the SQL password?
Thanks.
View 1 Replies
View Related
May 12, 2006
Hi all,
My work is using a shared application
which accesses a MSSQL 2000 database. To access the application, the
folder on the Windows 2003 Server is shared and users can access the
folder through a shared drive.
For the application to access the
database, it uses an ODBC connection to the MSSQL server which
originally used the SA password.
We have recently switched to using
Windows Integrated Authentication because we believe it offers a
higher level of security. However the only way in which we have been
able to enable this is to add the windows users to the SQL server.
The problem with this is that the
application sets permissions for individual users on what records
they can see within the database. We have found that by adding the
windows users to the SQL Server, they can bypass the permissions the
set by the application by simply using any application that can use
an ODBC connection, such as Enterprise Manager, and see all the
database.
One way around this would be to set up
domains of users with access privileges to the tables which reflect
the permissions set by the application, and configuring a view of the
data so they may only see the records that they have permissions to.
However to do this would require a high administrative cost to ensure
that changes made in the application are reflected in the privileges
of the SQL server.
Instead, is there a way the SQL server
can authenticate that the ODBC connection is coming from the correct
application using Windows Integrated Authentication?
This would allow the applcation to
determine security, and stop users from connecting to the SQL server
using other applications.
Alternatively, can the SQL server,
using Windows Integrated Authentication, also ask the application to
supply a username and password?
Any help with this matter would be
greatly appreciated.
Thanks!
View 4 Replies
View Related
Mar 26, 2008
Hallo there,
I just upgraded from Windows XP Pro to Windows Vista Bussiness and tried to reinstall SQL Server 2005 Developers Edition. After the installation i downloaded (using microsoft windows update) and installed all the service packs for sql and vista available.
My problem is when i open sql server management studio and try to connect to my default instance using windows authentication and database engine, an 18456 error occurs.
I enabled all the protocols and all the ports
I disabled windows firewall and antivirus (eset nod32)
I installed all service packs available
I have also installed Visual Studio 2005 without installing sqlexpress
But nothing happens!
Please i am very desperate, any information will be gratefully accepted.
This is my installation Information
Code Snippet
Microsoft SQL Server Management Studio 9.00.3042.00
Microsoft Analysis Services Client Tools 2005.090.3042.00
Microsoft Data Access Components (MDAC) 6.0.6001.18000 (longhorn_rtm.080118-1840)
Microsoft MSXML 3.0 5.0 6.0
Microsoft Internet Explorer 7.0.6001.18000
Microsoft .NET Framework 2.0.50727.1434
Operating System 6.0.6001
Thank you in advance,
Patonios
View 3 Replies
View Related
Sep 26, 2006
I'm trying to run a test from my test environment which is a non-domain Windows 2000 server to access my domain 2003 with SQL2005. I have install 2005 tools to try to access the SQL server.
- I have try following the KB265808 - no success.
- Reading alot of blogs and it seems all are pointing to the same problem. "Remote access" but the settign is enabled.Error Message:
TITLE: Connect to Server
------------------------------
Cannot connect to ardsqldatawh.
------------------------------
ADDITIONAL INFORMATION:
An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server) (Microsoft SQL Server, Error: 53)
For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&EvtSrc=MSSQLServer&EvtID=53&LinkId=20476
Question: Could Windows 2003 security be blocking access? I'm using sa account to access.
Also, sa account does not seems to work for remote access. It is ok when accessing locally.
Any help would be appreciated.
949jc
View 1 Replies
View Related
Jul 23, 2005
Hi,Apologies for not knowing much around this subject, we currently run sqlserver 2000 for a database and have each user marked up on the database.We are moving to use a windows security group, so taking themanagement slightly away from the database server.What I would like to know is, will this effect functions such assuser_sname() by returning the group name instead of user id? I wouldassume not but it's worth checking!Also, I'm guessing if a user is marked on the database as their own idand as part of a security group, then all permissions are thrown in withdeny taking preference? How does this work with a database owner who isalso part of a security group that has limiting functionality?Thanks for your help,Chris
View 1 Replies
View Related
Feb 13, 2008
We have a problem authenticating domain users contained in local machine user groups across multiple web servers in a scale out deployment.
When we originally setup our single SSRS database server we were told the a best practice is to add domain users to local user groups on the SSRS machine.
Now we want to add more web servers and create a scale-out deployment. So, we added the web servers and configured the scale-out deployment. But, only administrators can see the reports since all of our SSRS roles are assigned permissions such as "Machine1User_Group".
We were told that we have to create identical local groups on Machine2 and Machine3 and then add them to the SSRS roles. This is prohibitive since it would mean managing 3 identical user groups containing thousands of domain users.
Is there a better way to do this without using Domain User Groups?
Thank you for any assistance.
View 3 Replies
View Related
May 8, 2003
Hello
Can anyone tell me what is the difference between sql authentication and windows authentication.
Examples of each would be very useful
Many thanks in advance
Steve
View 2 Replies
View Related
Oct 16, 2006
Would anyone please help me out here. which of the 2 modes of authentication is better and why??
View 3 Replies
View Related
Dec 18, 2006
Hi,
Say, I have configured my SQL to use Mixed Authentication. Now, I have a applicaiton which uses my SQL Server. The application just creates a database in SQL Server and uses the database to store its information.
This application also has a SYSTEM DSN under ODBC through which it accesses the database. For the application to access this database, should I only use SA (as my SQL instance is configured to use Mixed Authentication) or can I use Windows Authentcation too...
If I should only use SA, do we have a documentation which talks about this.
Thanks
Santhosh
View 1 Replies
View Related
Mar 12, 2008
For using different services of SQL SERVER 2005 which is better...
Windows Authentication or SQL Server Authentication?
what are the advantages and disadvantages of both?
View 5 Replies
View Related
May 30, 2007
We're getting an error where we can't add a login with the full dns name of a user - domain.xyzuser, for example. Get an error 15401, "Windows NT user or group domain.xyzuser' not found". The domain has a different Netbios name and DNS domain names, so we can add the user when we use the form "netbiosnameuser". So far so good.
Unfortunately, we have another application - Office Share Point Server whose shared services provider won't run, giving errors in the event log every 60 seconds that "Windows NT user or group 'domain.xyzuser' not found".
It looks as if SQL insists upon listing users in the form netbiosdomainnameuser, and applications that look for domain.xyzuser simply fail to authenticate.
Suggestions?
jnfranc at yahoo period com
View 3 Replies
View Related
Apr 4, 2007
Hi,
I am new to Reporting Services. I want to use Reporting Services 2005 in our application.
My custom web application is on one machine and Reporting Services 2005 is on other machine. I am using Forms Authentication and using Single Sign On for login
If my custom web application and Reporting Services are on same machin I can get "Authentication Ticket" issued by ReportingServices2005 to the Report server.
But in this case I am not able to get "Authentication Ticket" on Report Server since it is on other machine.
I am using ReportViewer control in my web application to display Reports and using LogonUser method to get the Authentication Ticket.
How can I pass CookieAuthentication ticket from my Custom Web Application to Report Server?
Is there any work around to pass Authentication Cookie across Domain or any other solution for this?
Regards
Amit
View 3 Replies
View Related
Feb 1, 2008
Hi.
I wonder if it is possible to set forms authentication for report manager but leave report server "as it is". I need to authenticate users from external LDAP and can't use windows authentication for report manager, but I would also like to leave report server open for anonymous users. In that way authenticated administrators could create reports which anonymous users could read.
I tested the Security Extension Sample and got it working when I rewrote the authentication part with my own LDAP authentication.
If I have understood correctly, the report manager is just application inside report server so is it possible to use forms authentication with one application but still leave the report server with Windows authentication?
View 1 Replies
View Related
Jul 20, 2005
I have observed that a temporary loss of a domain controller can causeproblems creating new ado connections between a client machine runningado and a separate sql server machine that are members of the domain.I understand why this happens when creating connections with windowsauthentication. What is a mystery is that it also sometimes effectsnew connections that use "sql authentication". Below is a descriptionof my test scenario.a. Setup 3 machines.i. one domain controller machine. windows 2000 based. I have triedboth a regular domain setup and a domain setup in compatibility mode.ii. one sql server machine that is a member of the domain. windows2000.iii. one client machine running an ado test program that communicateswith the sql server machine. I have tried both 2000 and xp.b. Start your test ado program and create a connection.c. Fire a query.d. It should work.e. Unplug the network cord on the domain controller.f. Create a new connection and fire a new connection about a minute orso after.g. It should work. Apparently the client caches account informationfrom the domain controller for a certain amount of time. The timeseems to be shorter by default in xp than 2000.h. Wait 20 minutes or more.i. Create another new connection. You will notice a timeout error.If your using windows authentication the timeout will happen 100% ofthe time. That is to be expected. If your using sql authenticationthe timeout seems to happen about 50% of the time. I can't explain itother than some strange Microsoft bug. I speculate that it may besome bug with the way ado caches connections. Perhaps a previouslysetup windows authentication connection gets reused by a request for asql authentication connection. However I haven't been able to proveit.Any insight you can offer would be appreciated. I also have a testprogram you can use to reproduce this behavior if you are interested.Thanks,Frank
View 2 Replies
View Related
Dec 16, 2013
I am attempting to set up an always on cluster on VMware for testing. setting up everything through the Failover cluster is fine, the trouble comes when I try to set up the AlwaysOn availability group. Whenever I attempt to specify a network location I receive the following error: Operating System Error 1265(The system cannot contact a domain controller to service the authentication request..).
I looked up this error and most sites point towards a Windows 8 homegroup issue. Since this is a on a domain, I don't think it is relevant. I also added the service accounts from server A to Server B and visa versa. I even added the computer objects to its opposite partner..I have attempted to use "Join Only" and do a manual copy.
View 1 Replies
View Related
Oct 11, 2002
Hi, i had installed on a lan, sql server 2000 (administrative and client tools) on workstations with windows nt4 ws.
The problem is that i shouldn´t give users permissions of "local administrator".
If I give them permissions of only "local users" they can´t start sql services, but they can start the enterprise manager.
If I give them permissions of "advanced users" they can start sql services, but they can´t start the enterprise manager.
What can i do for this to work well, without give them manager rights?
Thank you.
View 7 Replies
View Related
Jul 23, 2005
Hi there,I have an Access front end application that uses a SQL Server 2000Desktop Edition backend. I have created a package with the Access2003 runtime that I'd now like to deploy. I have created a globalgroup in the domain and placed the users that I'd like to give accessto the database (via my application front end) in that group. I'vethen created a local group on the SQL Server machine and added myglobal SQL Server group to it. I've also added that local group asdatabase user from SQL Server. From my reading of the variousmaterial on the Internet this should work but it doesn't. I can'taccess the database via the application from any machine other than mydevelopment machine. My VBA code specifies integrated security forthe connection string.Help please! I'm so close to deploying this and now I'm bogged downin security. Any ideas anyone has would be appreciated. Accountadministration and Windows security is not my strong suit.Barb
View 2 Replies
View Related
Jan 9, 2008
I want to map users/groups of a .NET application which uses MS SQL Server to Windows users/groups. Then grant pemission to the Windows users/groups to access the MS SQL Server.
If possible, I want to list Windows Users and Groups regardless of whether Active Directory is used or not.
View 1 Replies
View Related
Oct 19, 2005
Those of you who have installed SQL Server 2005 may have noticed that the installation creates several new Windows groups on the server. Do not underestimate the importance of these groups.
View 3 Replies
View Related
Aug 29, 2006
I created a Windows Group in Active Directory ("Database1Users"). populated it with users, and planned to allow everyone in it to have access to a sql 2005 database.
I went to the sql server, Security (at the general level), Logins, New login, and created the Login "<domain name>Database1Users". I assigned "Database1" as Default database, selected the database and assigned it to the above user name (which is actually a group name). I also typed in a default schema of "dbo" and gave the user account the role "db_owner" (just learning....) . Pressing OK gave me this error message:
>>>>
The DEFAULT_SCHEMA clause can not be used with a Windows Group or with principals mapped to certificates or an asymmetric keys."
>>>>
Oh..... how am I supposed to map a Windows group to give the users the access they need?
TIA,
barkingdog
View 1 Replies
View Related